Enable OCSP to improve https certificate verification efficiency and solve the problem of slow access to Let's Encrypt SSL certificates

In the past few days, the website has been very slow the first time it is opened, but pages open normally afterwards. After some research, the problem turned out to be an HTTPS certificate verification timeout: the certificate provider's verification URL could not be reached. I don't know whether it was a network line problem or a firewall.

I asked several experts how to solve the problem of HTTPS certificate verification timeout. The solutions given were to either change the certificate provider or enable OCSP.

How can a poor person like me afford an HTTPS certificate from a big company? I can only adopt the second solution and enable OCSP.

If a website uses a free Let's Encrypt certificate, the first time you open it over https it appears very slow and often takes four or five seconds to load. The cause is that the OCSP responder ocsp.int-x3.letsencrypt.org cannot be resolved normally, so the browser's revocation check has to wait for a timeout.

To improve the access experience, you can enable OCSP Stapling: the server fetches the OCSP response itself and sends it along with the certificate, so the browser no longer has to contact the responder on the first visit.

This article's environment:

Pagoda Panel

CentOS 7 / Windows 2012 R2

Apache / Nginx

1. Enable OCSP Stapling for overseas servers

1. Configure the system's Apache or Nginx information

Apache enables OCSP:

① Find the Apache installation directory and edit the httpd-ssl.conf file in it. On CentOS the path is /www/server/apache/conf/extra/httpd-ssl.conf; on Windows it is C:/BtSoft/apache/conf/extra/httpd-ssl.conf. Uncomment the following two lines in the file (use the CentOS or Windows form of the second line as appropriate):

SSLUseStapling On
#CentOS:
SSLStaplingCache "shmcb:/www/server/apache/logs/ssl_stapling(32768)"
#Windows:
SSLStaplingCache "shmcb:C:/BtSoft/apache/logs/ssl_stapling(32768)"

If the above two lines are not in the file, add them manually.

② Edit the httpd.conf file. On CentOS the path is /www/server/apache/conf/httpd.conf; on Windows it is C:/BtSoft/apache/conf/httpd.conf. Uncomment the following line in the file (this module provides the shared-memory cache that SSLStaplingCache uses):

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

If the above line does not exist in the file, add it manually.

③ Configure the website's Apache settings. In the website's configuration file, add the following lines (use the CentOS or Windows form of the second line as appropriate):

SSLUseStapling On
#CentOS:
SSLStaplingCache "shmcb:/www/server/apache/logs/ssl_stapling(128000)"
#Windows:
SSLStaplingCache "shmcb:C:/BtSoft/apache/logs/ssl_stapling(128000)"

Add these lines above the <VirtualHost *:443> line of that file; SSLStaplingCache must sit at server scope, outside any VirtualHost block.

At this point, OCSP Stapling has been enabled on Apache. Just restart Apache.

Nginx enables OCSP:

Add the following directives directly to the website's Nginx configuration file, inside the server block that listens on 443:

server {
    listen 443;
    ………
    ssl_stapling on;        # Enable stapling
    ssl_stapling_verify on; # Verify the stapled OCSP response against the issuer chain
}

Save and restart Nginx. Note that ssl_stapling_verify needs the issuer's certificate chain to be available to Nginx (a full-chain file in ssl_certificate, or the chain given via ssl_trusted_certificate), and Nginx needs a resolver directive to look up the responder hostname; without a resolver it logs a "no resolver defined" error and sends no staple.

2. Enable OCSP Stapling for inland servers

The steps are the same as in the first section. After enabling OCSP Stapling, you also need to edit the hosts file and pin the IP address of the ocsp.int-x3.letsencrypt.org server. Keep in mind that this responder is served from a CDN, so a pinned address can stop working when the CDN changes its nodes; if stapling later fails, check this entry first.

The IP addresses of the ocsp.int-x3.letsencrypt.org servers are as follows:

23.44.51.8 (United States)
23.44.51.27 (United States)
104.109.129.57 (United Kingdom)
104.109.129.11 (United Kingdom)
175.45.42.209 (Hong Kong)
175.45.42.218 (Hong Kong)
223.119.50.201 (Hong Kong)
223.119.50.203 (Hong Kong)
23.32.3.72 (Tokyo)

Edit the hosts file. On Windows the path is C:\windows\system32\drivers\etc\hosts; on Linux it is /etc/hosts. Add the following line (pick whichever of the addresses above is reachable from your server):

175.45.42.218 ocsp.int-x3.letsencrypt.org

Just restart Apache or Nginx.

3. Verify whether OCSP Stapling is enabled successfully

1. Run the following command over SSH (replace www.yourwebsite.com with your own domain):

openssl s_client -connect www.yourwebsite.com:443 -servername www.yourwebsite.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

If the output contains "OCSP response: no response sent", the server is not stapling and the activation failed.

If OCSP Stapling is working, the output contains an OCSP response status line with "successful".

2. Open the following URL and enter your site's domain to test it:

https://www.getssl.cn/ocsp
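A small POSIX shell helper, added here and not part of the original post, that wraps the openssl check above in reusable functions: it classifies the s_client output into a stapling state, and also extracts the OCSP responder host from a certificate and checks that it resolves, which is the root cause the article describes. The function names are this example's own; getent is assumed to be available (Linux).

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Run the probe the article uses against a live host (needs network access).
ocsp_probe() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status -tlsextdebug \
    </dev/null 2>&1
}

# Read s_client output on stdin and print one word: stapled, unstapled or unknown.
# "OCSP Response Status: successful" is what openssl prints when a staple is sent.
classify_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo unstapled ;;
    *)                                    echo unknown ;;
  esac
}

# Print the OCSP responder hostname embedded in a PEM certificate (path in $1).
ocsp_responder_host() {
  openssl x509 -in "$1" -noout -ocsp_uri | sed -e 's|^[a-z]*://||' -e 's|[:/].*$||'
}

# Exit 0 if the responder host named in certificate $1 resolves, 1 otherwise.
# A failure here is the "cannot be resolved" condition that makes first visits slow.
responder_resolves() {
  h=$(ocsp_responder_host "$1")
  [ -n "$h" ] && getent hosts "$h" >/dev/null
}

# Live usage: ocsp_probe www.yourwebsite.com | classify_stapling
```

Run responder_resolves against the certificate file Pagoda deployed for the site to confirm the hosts-file fix from section 2 took effect.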

If your site is also served over https and is slow the first time it is opened, it is worth checking whether certificate verification is the problem.

Please follow 123WORDPRESS.COM to learn more about the problem of slow website opening speed
